Question

在我的应用程序中，我希望基于url模式实现单独的spring安全性实现。

EG。 / rest / **将拥有自己的身份验证提供程序（基本身份验证）和

/ web / **将拥有自己的身份验证提供程序（表单登录）。

请找到我已完成的以下配置

<?xml version="1.0"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

<!-- config for rest services using basic auth-->

<http pattern="/rest/**">
    <intercept-url pattern="/MyAppRestServices" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <http-basic />
</http>

<!-- AUTHENTICATION MANAGER FOR CUSTOM AUTHENTICATION PROVIDER -->

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>

<!-- config for web using form login--> 

<http pattern="/web/**">
    <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
    <form-login/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="admin" password="nimda" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

在上面的配置中，第一个配置工作正常，即带有基本身份验证的restservice但是带有表单登录配置的web无效。它甚至没有拦截网址？

请告诉我上述配置有什么问题？

Answer 1

请参考下面的网络身份验证工作配置::

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/css/**" security="none" />
    <http pattern="/images/**" security="none" />
    <http pattern="/js/**" security="none" />

    <http auto-config="false" authentication-manager-ref="dev" use-expressions="true" disable-url-rewriting="true">
        <intercept-url pattern="/admin/login" access="permitAll" />
        <intercept-url pattern="/admin/*" access="isAuthenticated()" />
        <form-login
            login-page="/admin/login"
            default-target-url="/admin/workbench"
            username-parameter="username"
            password-parameter="password"
            authentication-failure-url="/admin/login"
        />
        <logout logout-success-url="/admin/login" logout-url="/j_spring_security_logout" invalidate-session="true" delete-cookies="JSESSIONID" />
    </http>

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!-- STATIC USER -->
    <authentication-manager id="dev" alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="abc" password="pwd" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

多弹簧安全配置不起作用

1 个答案: